Permissions for Amazon SNS topics - Amazon DevOps Guru

Permissions for Amazon SNS topics

Use the information in this topic only if you want to configure Amazon DevOps Guru to deliver Amazon SNS topics owned by a different account than yours.

For DevOps Guru to deliver an Amazon SNS topic owned by a different account, you must attach to it a policy that grants DevOps Guru permissions to send notifications to it. If you configure DevOps Guru to deliver Amazon SNS topics owned by your account, then DevOps Guru adds a policy to the topics for you.

Note

DevOps Guru currently only supports cross-account access in the same Region.

To use an Amazon SNS topic from another account, attach the following policy to the existing Amazon SNS topic. For the Resource key, topic-owner-account-id is the account ID of the topic owner, topic-sender-account-id is the account ID of the user who set up DevOps Guru, and devops-guru-user-name is the individual IAM user. You must substitute appropriate values for region-id (for example, us-west-2) and my-topic-name. 


 {
     "Version": "2012-10-17",
     "Statement": [{
             "Sid": "EnableDevOpsGuruServicePrincipal",
             "Action": "sns:Publish",
             "Effect": "Allow",
             "Resource": "arn:aws:sns:region-id:topic-owner-account-id:my-topic-name",
             "Principal": {
                 "Service": "region-id.devops-guru.amazonaws.com"
             },
             "Condition": {
                 "StringEquals": {
                     "AWS:SourceAccount": "topic-sender-account-id"
                 }
             }
         },
         {
             "Sid": "EnableAccountPrincipal",
             "Action": "sns:Publish",
             "Effect": "Allow",
             "Resource": "arn:aws:sns:region-id:topic-owner-account-id:my-topic-name",
             "Principal": {
                 "AWS": ["arn:aws:iam::topic-sender-account-id:user/devops-guru-user-name"]
             }
         }
     ]
 }

After you add a topic, we recommend that you make your policy more secure by specifying permissions for only the DevOps Guru notification channel that contains your topic.

Update your Amazon SNS topic policy with a notification channel (recommended)

  1. Run the list-notification-channels DevOps Guru AWS CLI command.

    aws devops-guru list-notification-channels

  2. In the list-notification-channels response, make a note of the channel ID that contains your Amazon SNS topic's ARN. The channel ID is a guid.

    For example, in the following response, the channel ID for the topic with the ARN arn:aws:sns:region-id:111122223333:topic-name is e89be5f7-989d-4c4c-b1fe-e7145037e531

    {
  "Channels": [
    {
      "Id": "e89be5f7-989d-4c4c-b1fe-e7145037e531",
      "Config": {
      "Sns": {
          "TopicArn": "arn:aws:sns:region-id:111122223333:topic-name"
        }
      }
    }
  ]
}

  3. In the Condition statement of your policy, add the line that specifies the SourceArn. The ARN contains your Region ID (for example, us-east-1), the AWS account number of the topic's sender, and the channel ID you made a note of.

    Your updated Condition statement looks like the following.

    "Condition" : {
  "StringEquals" : {
    "AWS:SourceArn": "arn:aws:devops-guru:us-east-1:111122223333:channel/e89be5f7-989d-4c4c-b1fe-e7145037e531",
    "AWS:SourceAccount": "111122223333"
   } 
 }

If AddNotificationChannel is unable to add your SNS Topic, check that your IAM policy has the following permissions.

{
     "Version": "2012-10-17",
     "Statement": [{
           "Sid": "DevOpsGuruTopicPermissions",
           "Effect": "Allow",
           "Action": [
                 "sns:CreateTopic",
                 "sns:GetTopicAttributes",
                 "sns:SetTopicAttributes",
                 "sns:Publish"
           ],
           "Resource": "arn:aws:sns:region-id:account-id:my-topic-name"
     }]
}